
Security bulletin

Security update available for BlazeDS

Release date: February 11, 2010

Last updated: March 5, 2010

Vulnerability identifier: APSB10-05

CVE number: CVE-2009-3960

Platform: All

Summary

An important vulnerability (CVE-2009-3960) has been identified in BlazeDS 3.2 and earlier versions. When processing incoming requests, XML external entity references and injected tags can result in disclosure of information. This issue affects LiveCycle 9.0, 8.2.1 and 8.0.1, and ColdFusion 9.0, 8.0.1, 8.0, and 7.0.2, which are installed with different versions of Data Services products. Adobe has provided a solution for the reported vulnerability for each affected Adobe product. It is recommended that users update their installations of each affected Adobe product to the latest version using the instructions provided below.

Affected software versions

Solution

BlazeDS
Prerequisite: Requires that BlazeDS 3.2 already be installed.
Installation Instructions:
1. Download the patch zip file for BlazeDS 3.2, and extract the contents to your local file system.
2. Copy the files flex-messaging-core.jar and flex-messaging-common.jar to the /WEB-INF/lib/ directory of the BlazeDS web application you want to apply the hotfix to.

Note: For nightly builds of the BlazeDS Trunk branch or the BlazeDS 3.x branch, customers are advised to update to the latest nightly build. This issue was resolved in BlazeDS 3.x build 12617 (and later builds) and BlazeDS Trunk build 12583 (and later builds).

Severity rating

Adobe categorizes these as important updates and recommends that users apply each update for their respective product installation(s).

Details

An important vulnerability (CVE-2009-3960) has been identified in BlazeDS 3.2 and earlier versions. When processing incoming requests, XML external entity references and injected tags can result in disclosure of information. Information disclosure is limited to files readable by the server process running BlazeDS, which may include sensitive information in certain customer environments. This issue affects LiveCycle 9.0, 8.2.1 and 8.0.1, and ColdFusion 9.0, 8.0.1, 8.0, and 7.0.2, which are installed with different versions of Data Services products. Adobe has provided a solution for the reported vulnerability for each affected Adobe product. It is recommended that users update their installations of each affected Adobe product to the latest version using the instructions provided above.

Acknowledgments

Adobe would like to thank the following individuals and organizations for reporting the relevant issues and for working with Adobe to help protect our customers: